Infoblox’s DNS Early Detection Program identifies potentially malicious domains before OSINT feeds publish them, enabling earlier blocking and reducing risk. Void Rabisu (aka Storm-0978/UNC2596) uses its ROMCOM backdoor for espionage and financially motivated attacks, employing lookalike domains and a multi-stage kill chain against Ukraine, NATO members, and political figures, including female leaders. #VoidRabisu #ROMCOM #ROMCOMLITE #WPLSummit #LookalikeDomains #DNSEarlyDetection #Infoblox
Keypoints
- Infoblox’s DNS Early Detection Program flags potentially dangerous domains earlier than OSINT, allowing blocking weeks or months in advance.
- Void Rabisu (Storm-0978/UNC2596) is deploying ROMCOM variants (ROMCOM 4.0, ROMCOMLITE, PEAPOD) for espionage and financial attacks.
- ROMCOM has recently targeted Ukraine and NATO governments, military personnel, and political leaders, including female leaders.
- The ROMCOM Kill Chain relies on lookalike domains and staged downloads to deliver the backdoor and stage subsequent components (e.g., wplsummit.org lookalikes, then wplsummit.com, mctelemetryzone.com, redditanalytics.pm, netstaticsinformation.com, etc.).
- Blocking any one ROMCOM domain could disrupt the Kill Chain and prevent payload execution; Infoblox identified these domains as suspicious on average ~91.6 days before OSINT designation.
- WHOIS data shows that suspicious-domain threat intel feeds blocked ROMCOM domains about 1.6 days after domain registration, highlighting the value of early threat intel and DNS protection.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The fake Women Political Leaders Summit site entices victims into downloading malicious attachments containing the ROMCOM backdoor. [In approximately early August 2023 Void Rabisu set up a fake version of the official website of the Women Political Leaders (WPL) Summit held in Brussels earlier in June. This malicious website utilized social engineering techniques to entice victims into downloading malicious attachments containing the backdoor.]
- [T1583.001] Acquire Infrastructure: Domains – ROMCOM uses lookalike/malicious domains (e.g., Malicious Domain #1 wplsummit[.]com; Malicious Domain #3 redditanalytics[.]pm) as part of the kill chain to host components and communicate with C2. [Malicious Domain #1: wplsummit[.]com] [Malicious Domain #3: redditanalytics[.]pm]
- [T1071.001] Web Protocols – The ROMCOM backdoor communicates with a C2 server to receive instructions and deploy additional payloads. [This, in turn, communicates with the C2 server]
- [T1027] Obfuscated/Compressed Files and Information – The ROMCOM workflow downloads an encrypted file which works to set up the payload. [an encrypted file which works to set up the payload.]
Indicators of Compromise
- [Domain] ROMCOM-related domains – wplsummit.com, redditanalytics.pm, and 4 more domains
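The keypoints above make the defensive argument that blocking any single domain in the chain (the wplsummit.org lookalikes, wplsummit.com, redditanalytics.pm, and the others) breaks the staged download. The script below is an added example, not code from the Infoblox post, showing how a resolver log can be screened for the IoC domains listed on this page and for lookalikes of the legitimate summit domain. It assumes a BIND-style query log format, a naive "last two labels" notion of registrable domain (no public suffix list), and an edit-distance threshold of 1 for lookalike labels; the log lines are constructed samples.

```python
"""Screen DNS query logs for ROMCOM IoC domains and lookalikes of a protected domain.

Added example for this summary; assumes BIND-style "query: <name> IN <type>" lines.
"""
import re

# Domains named as ROMCOM infrastructure on this page.
ROMCOM_DOMAINS = {
    "wplsummit.com",
    "mctelemetryzone.com",
    "redditanalytics.pm",
    "netstaticsinformation.com",
}

# Legitimate domain whose lookalikes were used as the lure (from the page).
PROTECTED_DOMAINS = {"wplsummit.org"}

# Assumed log format: "... query: www.example.com IN A ..."
QUERY_RE = re.compile(r"query:\s+(\S+)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.wplsummit.org IN A + (10.0.0.2)
client 10.0.0.5#53212: query: cdn.wplsummit.com IN A + (10.0.0.2)
client 10.0.0.7#41022: query: wp1summit.org IN A + (10.0.0.2)
client 10.0.0.9#50010: query: redditanalytics.pm. IN A + (10.0.0.2)
client 10.0.0.9#50011: query: example.com IN A + (10.0.0.2)
client 10.0.0.3#49201: query: wplsummit.net IN A + (10.0.0.2)
"""


def normalize(name: str) -> str:
    """Lower-case, undo [.] defanging, and strip the trailing root dot."""
    return name.lower().replace("[.]", ".").rstrip(".")


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels (assumption; no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character label swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname: str):
    """Return ("ioc", domain), ("lookalike", protected_domain) or None."""
    reg = registrable(normalize(qname))
    if reg in PROTECTED_DOMAINS:
        return None  # the genuine site is expected traffic
    if reg in ROMCOM_DOMAINS:
        return ("ioc", reg)  # exact IoC match, including subdomains of it
    sld, _, tld = reg.partition(".")
    for brand in PROTECTED_DOMAINS:
        bsld, _, btld = brand.partition(".")
        # Same label under another TLD (wplsummit.net) or a one-edit label (wp1summit.org).
        if (sld == bsld and tld != btld) or (sld != bsld and levenshtein(sld, bsld) <= 1):
            return ("lookalike", brand)
    return None


def scan_log(text: str):
    """Yield (queried_name, kind, matched_domain) for every flagged query line."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict:
            findings.append((normalize(m.group(1)),) + verdict)
    return findings


if __name__ == "__main__":
    for qname, kind, matched in scan_log(SAMPLE_LOG):
        print(f"{kind:9} {qname:28} -> {matched}")
```

Every flagged name here is a candidate for an RPZ-style block at the resolver; the "ioc" hits correspond to domains already published, while the "lookalike" hits are the kind of registrations the early-detection approach in the post aims to catch before a feed names them.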
Read more: https://blogs.infoblox.com/cyber-threat-intelligence/dns-early-detection-romcom/